Iptables configuration from container

Hello,

I’ve faced an issue regarding iptables configuration. Because one of my containers communicates via UDP on ports that are configurable, I cannot use port binding in docker-compose files. Rather than that, I came across a solution: tweak iptables on my own to accomplish a kind of dynamic port binding.

Unfortunately I cannot change the host machine’s iptables from the container. I am running the container in network mode “host” with the NET_ADMIN and NET_RAW capabilities added; as far as I’m concerned, this should be enough to see the host’s iptables rules inside the container.

Here are sample iptables rules on the host machine:

apalis-imx6-10767568:~$ sudo iptables --list
Password:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

and this is inside the container

torizon@apalis-imx6-10767568:/init$ iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

As you can see, the chains are not even the same. Adding some rules inside the container does not affect the host’s rules, and vice versa.

I found someone who claimed that an older kernel version caused the same effect. Can that be the problem, or maybe there is some explanation why this is problematic?

Best Regards,
Kacper

Greetings @Kacper,

I did a quick test and got a similar result to you. However, when I ran iptables inside a container I got this message as well:

# Warning: iptables-legacy tables present, use iptables-legacy to see them

I then used iptables-legacy inside the container instead. With this I got a much better looking result:

root@apalis-imx8-06738453:/# iptables-legacy --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

As far as I can tell, this seems to match the iptables output on the host outside of the container. I assume the versions of iptables outside and inside the container differ enough, which is why iptables-legacy is needed. Could you give this a try and let me know if this also works for you?

Best Regards,
Jeremias
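The check described in this reply, written out as a small POSIX shell script (an added example, not code from the thread or from Toradex). It assumes that the `iptables` front-end in the container prints the "iptables-legacy tables present" warning (captured here together with stdout via `2>&1`) whenever the host's rules live in the legacy backend, and it uses constructed sample listings that mirror the two outputs quoted above so that it runs without a real iptables. The `allow_udp_port` helper is hypothetical and only shows how a container entrypoint would use the chosen binary; it is not invoked here.

```shell
#!/bin/sh
# Added example: pick the iptables front-end whose tables match the host's,
# and verify that the container actually sees the host's chains before
# touching them. Constructed sample data; no real iptables is invoked.

# Given the combined stdout/stderr of `iptables --list`, print the binary to use.
pick_iptables_backend() {
    if printf '%s\n' "$1" | grep -q 'iptables-legacy tables present'; then
        echo iptables-legacy
    else
        echo iptables
    fi
}

# Reduce a listing to its chain names and policies, with whitespace collapsed,
# so two listings can be compared without caring about counters or layout.
chain_summary() {
    printf '%s\n' "$1" | grep '^Chain ' | sed 's/  */ /g' | sort
}

# Succeed only when both listings define the same chains with the same policies.
same_chains() {
    [ "$(chain_summary "$1")" = "$(chain_summary "$2")" ]
}

# Hypothetical entrypoint helper (assumption: run with --network host and
# CAP_NET_ADMIN): validate the port, then add an INPUT rule with the right binary.
allow_udp_port() {
    port=$1
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    ipt=$(pick_iptables_backend "$(iptables --list 2>&1)")
    "$ipt" -A INPUT -p udp --dport "$port" -j ACCEPT
}

# Constructed: what `iptables --list 2>&1` printed inside the container
# (nft-backed front-end, empty tables, plus the warning).
CONTAINER_OUT='# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed: an abbreviated host listing (legacy backend, Docker chains present).
HOST_OUT='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed: the container's `iptables-legacy --list` output matches the host's.
LEGACY_OUT=$HOST_OUT

main() {
    backend=$(pick_iptables_backend "$CONTAINER_OUT")
    echo "front-end to use inside the container: $backend"   # iptables-legacy
    if same_chains "$CONTAINER_OUT" "$HOST_OUT"; then
        echo "default front-end sees the host's chains"
    else
        echo "default front-end does NOT see the host's chains (expected here)"
    fi
    if same_chains "$LEGACY_OUT" "$HOST_OUT"; then
        echo "iptables-legacy listing matches the host"
    fi
}

main
```

In a real deployment the two listings would come from `iptables --list 2>&1` on the host and inside the container; failing the `same_chains` comparison before adding any rule means a misconfigured container (wrong network mode, missing capability, wrong backend) stops early instead of silently writing rules into an empty table that nothing consults.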

Hello @jeremias.tx,

Thank you for testing. I’ve managed to get it working.

What’s interesting is that I did not see this warning prompt when using the torizon user inside the container. Using iptables-legacy and tweaking some permissions and capabilities inside the container did the job, and I am able to change rules as the torizon user from the container.

Thank you once again.
Best regards,
Kacper

Interesting that the warning prompt doesn’t show up for the torizon user. Well, glad we were able to sort it out, however.